Posted to commits@directory.apache.org by co...@apache.org on 2023/03/30 07:07:59 UTC

[directory-kerby] branch 2.0.x-fixes updated (70b0e60a -> d37f1a4a)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 2.0.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git


    from 70b0e60a Merge pull request #168 from apache/dependabot/maven/com.alibaba-druid-1.2.16
     new 57232360 Adding some tests to make sure signatures are required for JWT tests
     new d37f1a4a JWT fix

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../kerb/integration/test/JWTTokenTest.java        | 96 +++++++++++++++++++++-
 .../kerb/server/preauth/token/TokenPreauth.java    |  2 +-
 2 files changed, 96 insertions(+), 2 deletions(-)


[directory-kerby] 02/02: JWT fix

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2.0.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git

commit d37f1a4aa1899375fd083836204acc45a7f6a183
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 30 07:41:54 2023 +0100

    JWT fix
---
 .../apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index 679011c1..878c6b55 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -97,7 +97,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
             AuthToken authToken;
             try {
                 authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
-                if (!tokenDecoder.isSigned() && !kdcRequest.isHttps()) {
+                if (!tokenDecoder.isSigned()) {
                     throw new KrbException("Token should be signed.");
                 }
             } catch (IOException e) {
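Review bot: The rewritten condition drops the HTTPS exemption without recording why, so nothing at the check tells the next maintainer that a signature is now mandatory on every transport; a comment above it such as `// A signature is always required: transport security (HTTPS) does not authenticate the token issuer, so an unsigned token is rejected however the request arrived.` would keep the exemption from being reinstated. Note also that `tokenDecoder.isSigned()` only reports whether the decoded token carried a signature — whether that signature was verified against a trusted key is not visible in this hunk and presumably happens in `decodeFromBytes` or a later step, which is worth confirming for both the TGT and SGT request paths. The enclosing method begins and ends outside the hunk.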


[directory-kerby] 01/02: Adding some tests to make sure signatures are required for JWT tests

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2.0.x-fixes
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git

commit 5723236092d9fd87b56c2c3004a6d18139cfb226
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 30 07:10:42 2023 +0100

    Adding some tests to make sure signatures are required for JWT tests
---
 .../kerb/integration/test/JWTTokenTest.java        | 96 +++++++++++++++++++++-
 1 file changed, 95 insertions(+), 1 deletion(-)

diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
index 98b2772f..4b20a45b 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/JWTTokenTest.java
@@ -217,6 +217,55 @@ public class JWTTokenTest extends TokenLoginTestBase {
         }
     }
 
+    @org.junit.Test
+    public void accessTokenNoSignature() throws Exception {
+
+        KrbClient client = getKrbClient();
+
+        // Get a TGT
+        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+        assertNotNull(tgt);
+
+        // Write to cache
+        Credential credential = new Credential(tgt);
+        CredentialCache cCache = new CredentialCache();
+        cCache.addCredential(credential);
+        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+        File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+        cCache.store(cCacheFile);
+
+        KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+        tokenClient.setKdcHost(client.getSetting().getKdcHost());
+        tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+        tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+        tokenClient.init();
+
+        // Create a JWT token with an invalid audience
+        AuthToken authToken = issueToken(getClientPrincipal());
+        authToken.isAcToken(true);
+        authToken.isIdToken(false);
+        authToken.setAudiences(Collections.singletonList(getServerPrincipal()));
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+        TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+        assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+        krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+        // Now get a SGT using the JWT
+        try {
+            tokenClient.requestSgt(krbToken, getServerPrincipal(), cCacheFile.getPath());
+            fail("Failure expected on no signature");
+        } catch (KrbException ex) {
+            assertTrue(ex.getMessage().contains("Token should be signed"));
+        } finally {
+            cCacheFile.delete();
+        }
+    }
+
     @org.junit.Test(expected = KrbException.class)
     public void accessTokenUnknownIssuer() throws Exception {
 
@@ -452,7 +501,6 @@ public class JWTTokenTest extends TokenLoginTestBase {
 
         // Create a JWT token
         AuthToken authToken = issueToken(getClientPrincipal());
-        authToken.setAudiences(Collections.singletonList(authToken.getAudiences().get(0) + "_"));
         KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
 
         KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
@@ -469,6 +517,52 @@ public class JWTTokenTest extends TokenLoginTestBase {
         }
     }
 
+    @org.junit.Test
+    public void identityTokenNoSignature() throws Exception {
+
+        KrbClient client = getKrbClient();
+
+        // Get a TGT
+        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+        assertNotNull(tgt);
+
+        // Write to cache
+        Credential credential = new Credential(tgt);
+        CredentialCache cCache = new CredentialCache();
+        cCache.addCredential(credential);
+        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+        File cCacheFile = Files.createTempFile("krb5_" + getClientPrincipal(), "cc").toFile();
+        cCache.store(cCacheFile);
+
+        KrbTokenClient tokenClient = new KrbTokenClient(client);
+
+        tokenClient.setKdcHost(client.getSetting().getKdcHost());
+        tokenClient.setKdcTcpPort(client.getSetting().getKdcTcpPort());
+
+        tokenClient.setKdcRealm(client.getSetting().getKdcRealm());
+        tokenClient.init();
+
+        // Create a JWT token
+        AuthToken authToken = issueToken(getClientPrincipal());
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+
+        TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider("JWT").createTokenEncoder();
+        assertTrue(tokenEncoder instanceof JwtTokenEncoder);
+
+        krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+
+        // Now get a TGT using the JWT token
+        try {
+            tokenClient.requestTgt(krbToken, cCacheFile.getPath());
+            fail("Failure expected on an invalid signature");
+        } catch (KrbException ex) {
+            assertTrue(ex.getMessage().contains("Token should be signed"));
+        } finally {
+            cCacheFile.delete();
+        }
+    }
+
     @org.junit.Test(expected = KrbException.class)
     public void identityTokenUnknownIssuer() throws Exception {